A UK Member of Parliament doubles down on poor security habits

A UK Member of Parliament stepped in some deep doodoo recently, after she admitted that she routinely shared her office computer password with co-workers, including temporary interns. The revelation by MP Nadine Dorres was made on Twitter, and was meant to help a colleague who was accused of having pornography on his computer. But rather than helping, the incident raised serious questions about her poor cyber security habits, which she then tried to defend with poor excuses.

Just trying to be helpful, but not seeing the dangers

While authorities were trying to assert that Damian Green was responsible for the prohibited material that was found on his computer, Ms. Dorres figured it would be helpful to cast doubt on this argument. So, she tweeted “My staff log onto my computer on my desk with my login everyday. Including interns on exchange programs.”

When she decided to post this statement on Twitter, she clearly wasn’t expecting the backlash that came from many security professionals, and even regular citizens who understand the risks of sharing passwords. Here’s a link to the full story in The Guardian.

Why sharing passwords is really not a good idea

If it is true that many MP’s share their passwords routinely with staff, then it really could have been one of a number of people who may have had access to Mr. Green’s computer. However, it would also mean that there was a real problem with security in the MPs’ offices.

Unauthorized disclosure of sensitive information, which might be released to the public, damage innocent victims, or benefit individuals or organizations such as competitors or foreign governments; and

Unauthorized changing or deletion of official records that could also cause damage to individuals, organizations or the national interests

Think of situations where a disagreement arises, and one of the staff who knows the password becomes upset and adversarial, or where a worker is targeted for espionage by a foreign government, knowing where they work. Not many people expect the worst to happen.

The bottom line is that the inconveniences of having separate passwords and accounts for all staff, with good security habits reduce the risk of security incidents of many types, in any business.

Sometimes sharing a password is actually a good thing to do, but this is really only in cases of emergencies. After the emergency is passed, passwords should be changed. See my blog post about protecting your digital legacy, and make sure the right people have access to your passwords in an emergency, or when you die.

Security Tips

Individuals

Put passwords on your computer accounts, and log out when you are finished using them. Even if it’s just the neighbor, the cat-sitter or your children’s friends, there’s always a chance somebody could access your files and cause unexpected damage.

Employees

Make sure you never share your work password with anyone – not even an IT system administrator. It should never really be necessary. Sometimes, an assistant may need to send emails on behalf of their boss. In this case, there are features in email programs and calendars that allow people to delegate access properly, without having to use the same password.

Managers

Make sure you have unique accounts for all employees, to ensure security and accountability. Enable delegation features for email and calendars where they are needed.

If you or anyone you know of shares passwords, it’s time to talk. Please contact me to discuss the risks and what you can do to manage them properly.

As usual, if you enjoyed reading this post, you may wish to sign up to receive my Streetwise Security News by email by going to: https://www.streetsec.biz/news